In this episode of Cyber Thoughts, Lucas sits down for an engaging conversation with Jamey Cummings, a seasoned partner at JM Search, specializing in the dynamic world of cybersecurity recruitment. Jamey delves into his remarkable journey within the cybersecurity domain, leveraging his insights gained from years of experience to find and place top talent in the industry.
Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.
Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.
Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.
[Lucas] Welcome to the latest episode of Cyber Thoughts, where we explore the industry of cybersecurity through leaders in the field. Today, I'm thrilled to welcome Jamey Cummings, a partner at JM Search. Jamey focuses on cybersecurity, recruiting in the field, and this is gonna give him a great view into the market and where CISOs are going today. I'm really excited to have Jamey join us. Thank you, Jamey.
[Jamey] Lucas, great to see you again. Thanks for having me as a guest. I'm looking forward to this.
[Lucas] Well, pleasure's mine. So let's do the origin story. How'd you get into recruiting? And then why focus on cyber?
[Jamey] Okay. I think like a lot of others who are in the profession of executive recruiting, it never really occurred to me, frankly, earlier in my career that it was actually a viable career path. It's not something you typically think about when you go to business school. And for me, I guess if I take a bigger step back in my career, I've always had some left and right boundaries about what I want to do, but let things maybe happen a little bit organically. And that's what happened here. So after serving in the military, going to business school, still didn't know what I didn't know. And hence, I got into management consulting, which is a chance to kick the can down the road, figure out what it is you do want to do and learn a little bit more. And, you know, it made a lead to build your resume.
And when I started exploring what I was going to do out of consulting, I ran into some former colleagues who had gotten into executive recruiting, a fellow service academy graduate. And the more I learned about it, the more I was intrigued about the fact that, hey, you can have a really interesting career where you're dealing with people, you're impacting their careers. You can make reasonably good money doing it. I was able to stay put in Dallas, not move my family around every two or three years like I had been doing in the military.
It was interesting enough for me to say, let me learn more. And then the more I dug into it, and I still believe executive recruiting is essentially a different type of consulting. The outcomes are a little bit different. In fact, there is a tangible outcome. 98% of the time, you actually have a person who takes on a role. Whereas when I was consulting, frankly, there were times where I felt like we put together a lot of pretty decks and gave some recommendations, but you didn't really get a chance to see the fruits of your labor. And there are things that I think I did reasonably well, got good ratings on consulting, tenacity, client management, project management, engagement. And those are a few of the things that I have found help you be successful in executive search. So it was a little serendipitous, but I've been doing it for 16 years now, and I've obviously found something that I like.
[Lucas] And when do you start focusing on cybersecurity? Like what, you know, how long ago do you start that piece of it?
[Jamey] Around 2011, so I guess I'm in a bit of an example of you can reinvent yourself if you decide that you want to. So when I first got into executive search, I actually worked in the supply chain practice of another firm. And frankly, that was my major, but I did a lot of other stuff just to learn the art of executive search. And then I pivoted from one firm to another, really initially focused on aerospace and defense.
And it was around that 2011 timeframe where those of us who've not been in around cybersecurity as long as people like yourself, uh, that's when there became a lot more buzz in the market about, "Hey, this cybersecurity, this is the thing and there's going to be a lot of demand for this talent across that." You know, what I call the ecosystem, and I can get to that. So, uh, I was at a larger firm, and to their leadership's credit, they said, "This is something we need to be a part of. We want to go out and be leaders in really attacking this market." So they formed a brand new center of expertise called cybersecurity, which was, on the one hand, functional practitioners, CISOs, and direct reports across all industries, but also an industry vertical for cybersecurity, so a bit of a hybrid. And what put together a team to attack that market. I was right place, right time, my military background.
I think they said, "Hey, you are in special operations security. We'll connect those dots, works for me." And another friend and colleague of mine, she had been an Army communications officer, also tangential to cybersecurity. And we were given the opportunity to go and really attack this and build a brand. And I've really been focused predominantly on that ever since. I also do some tangential like CIO and other work, they're very, very tied and integrated, if you will, on the technology security side. But it's been about 12 years or so, and it's been a pretty dynamic market and a lot of fun.
[Lucas] So why don't you explain to our listeners, you know, who are your customers and what kind of roles are you focused on filling for those customers?
[Jamey] So we have essentially two types of customers in what I call that cybersecurity ecosystem. For me personally, it's been more heavily weighted towards companies of all sizes and all industries who have needed to recruit a chief information security officer, CISO, or a similar role. And that's been pretty diversified. And one thing I like about that is you get to span a lot of industries. It's pretty interesting.
A little bit more recession-proof as opposed to being in a specific industry. I've been fortunate to recruit for Fortune 100 companies all the way down to $100 million private equity-backed companies and everything in between. So that's pretty diversified. And I think another key to success there is that both information security and technology I found to be a pretty fungible skill set and pretty transferable across industries.
Unlike maybe some other functions are less so, but I found as long as a person's got good business acumen and good learning agility, they can make that happen. Our clients are predominantly the hiring organization. You know, the hiring manager half the time or so is still CIO, but we've seen CISOs reporting into presidents, CFOs, chief legal officers.
So our ultimate client can vary, but it's really pretty diversified. On the other hand, we do have a group that focuses specifically a little bit more in your world, Lucas, as far as where you, as political ventures are investing. We will help cybersecurity companies who, typically it's when they reach a certain milestone or tipping point in their trajectory of growth. Maybe they've gotten to a milestone where, "Hey, what got us here is not gonna get us there."
We need someone to professionalize our go-to market, our channel sales, our big logo sales. And it's often a chief revenue officer followed not far behind that by maybe a chief marketing officer. Occasionally, we will be asked to recruit a CEO to take over the reins from the founder to take it to that next stage of growth. And we have a separate team that does that work. And that's fundamentally a different talent pool, frankly, even though they're in the same ecosystem.
[Jamey] And on that, usually the client is the CEO, the board, which could be someone like yourself, for example, who decides, "Hey, we need to make a change." And we also do a lot of work with private equity firms. So a lot of the private equity firms, they're invested in companies at a different stage than you. So they are probably more likely, more frequently, to be in a position where they need to make some substantial changes in their executive team.
[Lucas] Gotcha. So I do want to talk about kind of how you make the jump to CSO and what kind of backgrounds are great for that. But before we do that, I thought it'd be interesting to talk about the kind of market broadly as a whole. So there's been a lot of layoffs the last 12 to 18 months. We all know the market's been hit. Have you seen that in cybersecurity? How does that look from cybersecurity versus kind of the overall broader tech?
[Jamey] Okay. I will talk about this in terms of more of the former bucket, more of the CISO community across all industries. There has been over the last several years a bit of a cyclicality. This is anecdotal. I don't have any reams of data to support this, but there's times where like one or two dominoes will fall in the CISO market, and all of a sudden it'll create opportunities, and it becomes almost a game of musical chairs. I think part of that has been that, you know, that if the CISO role itself is high visibility, very important, as executive teams and boards become more consistently aware of the fact that this is not a check the box, you've got to have someone in here ideally who's consistently building and maintaining a robust program, they tend to be more comfortable with someone who's been there done that. You know, as such, my experience has been that the number twos often have been less likely to get their shot. I think it's changed a little bit recently. And this is once again, just my observation is that I feel like a lot of the bigger roles have been filled. So people are settling in, tending to stay where they are a little bit longer.
I think the compensation is still good, but maybe is leveled out just a little bit. And so people are being a little bit more cautious also because frankly, it kind of feels like this big recession is three months away, continues to be three months away like every quarter. But I still think in the back of people's mind, they want to be really selective about making a move just because of that uncertainty in the market. And that throws sand in the gears of the market for talent for CISOs and CIOs, frankly, and other functions for my colleagues here at the firm. So I would say the market is still good. There's still a market for CISOs out there, but it's not nearly as gangbusters or robust as it was, say, there's about a two-year period up until late last year, maybe Q1 this year, and it slowed down a little bit. The other thing that we see from an executive recruiting perspective is that there's a
[Jamey] I'm getting a lot more inbound from people saying, hey, I'm open to an opportunity. Please keep me in mind. But you do not hear about as many searches. And I believe it's for two reasons. One is what I mentioned before is just not as much movement. Two, I feel like I've heard of instances where the number twos are getting their shot. The organization is just saying, hey, we've got a better succession plan than we used to. The next generation of talent is ready to go.
And as such, you're seeing people get the promotions, which, you know, personally is, I think, good. You, you got to build that next generation of talent. Uh, and then, you know, there's just not as much search work to go around. The last thing is that, compared to say five years ago, I think information security was a bit of a foreign concept to a lot of internal talent acquisition teams. And so I think they felt more comfortable going to an external expert.
I feel like, uh, especially larger companies have increasingly robust internal talent acquisition programs, and they feel perfectly fine going and doing the searches themselves. So we in the executive search industry find that we have pretty stiff competition, very capable competition with internal talent acquisition teams as well. So that's a bit of a long-winded answer, but those are some of the dynamics I've observed in and around the CISO market for talent.
[Lucas] So one thing I want to get some data from you on before we delve into, you know, kind of making the jump to light speed, how to become a CISO is you mentioned compensation. What are those compensation bands? I've heard a bunch of different numbers from, "Hey, that sounds like a pretty good career" to "I can't believe someone gets paid that much." So can you give me the, the ends of that? So our listeners can get an idea of, you know, what CISOs get paid.
[Jamey] Yeah, and I get this question a lot, Lucas, and I'd say it depends. And it's still all over the map. Compared to the CIO market, it's still not quite as mature or developed as it will be. So when I say it depends, on the one end, you've got big fortune whatever, Fortune 100, 500 companies.
In particular, not surprisingly, financial services is the industry that tends to pay the most. So your top CISOs at some of the big, big banks, definitely well into seven figure type compensation. If you look at base bonus long-term incentive, I've heard anecdotally, some of them are in a two, three million dollar range, if not more. That's, those are outliers.
The next, where I've observed recently, is, not surprisingly, the technology industry. Some of the compensation expectations recently have been a little eye-popping to me, actually. They're not necessarily quite at the range of financial services, but technology firms have tended to pay quite well. And those are a little bit heavier on the equity side. It's not gonna be all cash, just given some of the market caps of these companies, they're able to provide pretty robust compensation on that front. And some of those are well into seven figures.
I would say if you're looking at your more run-of-the-mill Fortune 500 publicly traded company that's several billion dollars, it can range anywhere from five ish 600 all the way up to just shy of or maybe into the low seven figures range, but it's really still pretty broad. And then for smaller companies, whether private equity-backed or otherwise, the packages are going to be different.
[Jamey] And it's a little bit, the valuation is different because they're going to be more contingent upon some sort of liquidity event. What's the upside potentially for their equity? So that the cash will tend to be a little bit lower in those environments as a result because that's just, that's the private equity model.
But hopefully that's a, that's a pretty broad range, but it's definitely compared to a couple years ago, continued to be pretty robust, especially for people who are, have been a CISO in a couple of times, I think they can command a premium if someone really wants to land them. Is that along the lines of what you would expect based upon your conversations with CISOs?
[Lucas] Yeah, no, definitely is. The big surprise for me has been it's kind of like waiters, right? You tip your waiter based on how much you spent, not how much work they did. And so some of these CSO jobs are giant jobs, and they pay half of what the same job is at another place. And the organization size may be the same. The amount of stuff you're dealing with is the same.
[Lucas] So willingness to pay, you know, it's an interesting problem set, right?
[Jamey] It is, and it's still fairly inconsistent out there. And part of the job that we have as executive recruiters is to, to the best of our ability, paint a picture of what the market will bear. We will go out in the market, we'll cast a wide net, we'll look at those that have been there, done that, versus maybe an up-and-coming talent, and where possible we will at least get their compensation expectations because you may be aware that certain states, many more than they used to be, there are these pay equity laws, so legally I can't ask you your current compensation. So we have to find a way to at least get to some sort of expectation, but that's what we do is we'll say, hey, for this level of talent, what you're looking for, here's the price tag.
And the internal compensation teams, they have... I'm not sure what databases they look in, but my experience has been pretty consistently that we have real-time knowledge of the market, and I personally put more stake in that, because that's what people are telling us versus information in a database. But that's a pretty common thing where we may butt up against what the market is telling us and what the internal compensation teams are telling us. So that's a pretty common rub, actually.
[Lucas] So you mentioned making the jump. Number twos, if someone wants to end up as a CISO, what kind of backgrounds are people looking for today? What's the common transition path? If you said, OK, I want to be a CISO five, 10 years from now, or three to five years from now, what skill set do you think is going to be the one? There's been times where it was much more law enforcement focused.
[Jamey] Thank you.
[Lucas] There's people that come out of legal, and then there's obviously people that come out of tech. Where do you see that skillset falling out? What are people really looking for today?
[Jamey] Well, people can come from all those types of backgrounds. From tech, it could be sometimes it's audit and risk. Sometimes it is, like you said, law enforcement, military. But for me, pretty consistently, it comes down to some of the intangibles and the soft skills. It may be a little bit different for a more highly technical company. If you've got someone where, hey, product security is really important, well, that's going to be a more technical type person.
Whereas some of them, these non-technology companies, it's very much almost like program management, risk management, broad coordination and facilitation and policy type of role. So it comes down a lot to business acumen, executive presence, the ability to develop and maintain strong relationships, the ability to communicate effectively executive level, concepts that are technical, but in layman's terms, if you will, the ability to put things in context of the organizational strategy, the risks, and where it all sits.
Increasingly, you also have being pulled into other areas such as privacy. Working especially companies that have operations in Europe, but with, I can't remember the acronym, but California has its own version of a privacy law. You're increasingly having, what's that?
[Lucas] GDPR and GDPR for Europe, right?
[Jamey] Yeah, for Europe, yes. I'm blanking on the equivalent in California, but there's an acronym for it. As a result of that, dealing with legal HR on the privacy side of things. Then you've also got increasingly supply chain, third-party vendor risk management. So I know some CISOs have been put in place people, a role specifically focused on supply chain security. Because your risk is being extended into your supply chain now. So if you pile all those things on together, it's just more, it's being pulled more and more directions. You have to be more agile and diversified. The ability to lead leaders, frankly, because you can only be in one place at one time, you're only one person. So those are the skill sets I've seen.
And increasingly, that's why, one of the reasons that you're starting to see more CISOs ascend to the CIO position. They're building broader capabilities and they really are in the fabric of what's going on within the organization. They're getting exposure to boards of directors more often. And frankly, I think some CISOs are not really keen to keep rinsing and repeating and doing the same role at another firm.
I'd say also increasingly with this recent SEC guidance on disclosures of breaches and things like that, I think some CISOs are less inclined to put themselves in that position now. I was thinking, well, I've already done this. I think I'd rather be a CIO or a CTO and do something a little bit different. So obviously, to see how that evolves over the coming years where the generation of CISOs decides what they want to do next in their career as opposed to just being another CISO editor.
[Lucas] I've definitely seen some of that where CISOs have ended up as deputy CIO and kind of moving up, you know, moving into broader pastures as opposed to, you know, going to the next company because it used to be, yep, you do the job at company A and then five years later you do the same job at company B. I'm starting to see them move up within their own firms. That's been an interesting point.
[Jamey] I think so. Well, the other added benefit to that is, then it's providing opportunity for that next generation to take the reins and get that experience, which is a good thing. And I think personally, one of the things I've really liked about working in this community is that there's a shared mission, a shared cause, where obviously you have to be careful about exchanging sensitive information.
That may be competitive from one company to the next, but there's a sense that, hey, we're all in this together. We're fighting the good fight. And we wanted to continue to attract and develop that next generation of talent. So this is another way to facilitate that. People getting their first shot being the CISO.
[Lucas] Excellent. So I think my last question on this kind of realm is where do you find your best talent? So, I mean, obviously you can just do a LinkedIn search for CISOs, but you've got to do more than that. So where do you find that talent? I don't need to give up any secrets, but what are you looking for?
[Jamey] Yeah, I don't think there's anything super magical about this, but we will start with a number of areas. Certainly, first and foremost, we're tapping into our networks of people that we already know and that is very powerful because you can find people that look really good on paper, but until you spend time with them, speak with people who know them, get some good referrals, whether it's maybe it's someone who reported their former boss or a former colleague says, "hey, Lucas is rock solid. You got to get to know that guy." That'll help you short fuse the process of evaluation a little bit. Also, industry peers. We have a lot of clients and we do, we put a lot of stock into how people are viewed by their peers in the community. That's one area.
To another obvious one, like you mentioned is we, we're going to look at some of the companies that have good brand names and just have a reputation for developing good talent. We call them Academy companies. We'll try to pull from them. Maybe a really strong number two is a divisional or a regional CISO really hungry to take on their first position and maybe a smaller to medium sized company. Or maybe people who have then proven they can move to a smaller company and have achieved what they want to, and they're ready to make a move. And that's a combination of certainly LinkedIn.
Increasingly, you can find CIOs and sometimes CISOs on a company website and just go find them. We also will look at maybe who are featured speakers in conferences, people who are thought leaders. You can find, those are different ways to find people, not just through LinkedIn, but through other means of putting themselves out there, developing their own brands and reputation in the market. And we just bring a multi-pronged approach.
On the one hand, we'll say, "Hey, let's assume we've never done this search. We're gonna do a whiteboard, green field. Where are these people likely to be?" Let's go find them combined with leveraging our networks and our password to really, you definitely wanna make sure that you tap into people you already know, but you wanna supplement that so you're not just recirculating and rehashing the same sort of talent. So it's really that combined approach where we try to find the best talent available.
[Lucas] Gotcha. All right, so I guess, you know, last, what resources do you personally use to keep up with the market? Like if for, you know, how do you stay plugged in?
[Jamey] When it comes to things regarding cyber security, I will never pretend to be the expert in any of it. But as far as what's happening more from a talent perspective, a lot of it is, for me personally, it's just the consistent dialogues I'm having with people. Hey, what are you hearing from a candidate perspective? What searches are out there? What's the general flow of inbound calls? And that helps me just get a bit of a pulse of the market, what's happening.
And then I don't really particularly read any security magazines or anything like that. To me, it's just more through relationships and conversations. That's just my personal approach to it.
[Lucas] Alright, so rapid fire. We always end with these two questions. What's your favorite book today?
[Jamey] My most favorite book recently was Boys in the Boat.
[Lucas] Oh, what's that? I don't know it.
[Jamey] So The Boys in the Boat is a story of the 1936 Olympics in Berlin. Hope I have that year right. And it's an amazing story of the crew team, the US crew team, who went over there at a time of amazing, pretty substantial political, geopolitical upheaval. And it's a bunch of country boys from the University of Washington.
And it talks about how they trained together, the agony they went through, the teamwork, and the fact that they overcame pretty substantial odds together as a team to do what they did. It's very humbling and inspirational just to hear about it. It's a great book, and part of my reason is that there's a fellow Naval Academy friend of mine who's a bit of a ringleader, gets us together and we're about to start here soon. Rovember is 30 days straight of rowing workouts. And I gained an appreciation for how grueling that can be. And I personally love, uh, one of my favorite sports now for actually in summer Olympics is the eight man crew. Just to see the level of coordination that they have to have the teamwork and just sheer guts. Uh, anyway, it was a, it's a very inspiring and very interesting story. Uh, a colleague of mine gave it to me.
And I think I read it in like two or three days. It's pretty amazing.
[Lucas] Great. And then finally, what's your favorite information medium? How do you like to learn things? Is it YouTube videos, books, online? Like how do you take in new knowledge?
[Jamey] Combination. In some ways, I still like to read some magazines and newspapers just because I need to take my eyes off the screen occasionally. So for me, I'm a pretty avid reader of a wide variety of publications like The Economist, The Atlantic. I like to read Wall Street Journal, New York Times. I want to hear multiple perspectives and form my own opinions, frankly.
Also podcasts and ebooks, Audible books. I found that helps me, whether I'm working out or otherwise, to actually be able to do what I want to do. The one challenge with an Audible book is that there are times where I get distracted and I don't retain as much. So if it's more for entertainment, I'll do that. If I want to retain it, I'll have to go listen again and write some notes down. And then the last one is podcasts. I found podcasts, whether it's The Economist or Sam Harris or a Scott Galloway.
I really like to hear their podcast because I think they're pretty fair, reasonable, rational guys that are calling balls and strikes and I just really like what they have to say. So those are the media that I personally listen to and read the most frequently.
[Lucas] Awesome. Jamey, let me first thank you for coming on the podcast. It's been great talking to you. Before we leave, any plugs you want to add?
[Jamey] Well, I did a shameless plug for JM Search. You know, we, I think we're a well-kept secret out there and we are a little under the radar, but little by little we're trying to change that. We're a, it's a great firm, great team-oriented culture, very focused on client success and delivery. We've got a great team. So I just put in a plug for JM Search and thank you for the time. And they could find us at jamsearch.com.
[Lucas] Happy Vuflade!
[Jamey] And they can always find me on LinkedIn. I'm a frequent poster of a variety of topics on leadership and development. And that's another place to follow. And if you find them very interesting, please let me know. If you've got any topics that would be of interest, I'm happy to try to opine on those in my post as well.
[Lucas] Awesome. Thank you so much for coming on today. I appreciate it.
[Jamey] Thank you, Lucas. I enjoyed it. The time flew by.